silicon.com victory in Full Disclosure data campaign

ICO proposes tougher sanctions for 'reckless' data loss

By Nick Heath, 31 January 2008 17:46

NEWS

silicon.com has won a significant victory in its Full Disclosure campaign to make government toughen its data protection legislation and improve the reporting of security breaches.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

The Information Commissioner's Office (ICO) is asking that "knowingly or recklessly" breaching the Data Protection Act (DPA) be made a criminal offence, as part of a series of amendments to the act.

The change in the watchdog's attitude follows mounting support for Full Disclosure since it was launched by silicon.com in July 2007, with backing from the police, the House of Lords and security experts - including individuals such as Bruce Schneier. CEOs of organisations such as content and document protection company Workshare, data encryption company PGP and the National Consumer Council have also shown support.

Criminal charges would be brought "for knowingly or recklessly failing to comply with the data protection principles so as to create a substantial risk that damage or distress will be caused to any person".

Information Commissioner Richard Thomas believes an unlimited fine would be an appropriate penalty for the new offence, according to the document Data Protection Powers and Penalties.

The document, which has been sent to the Ministry of Justice (MoJ), also asks for powers for the ICO to carry out spot checks on companies and authorities processing personal data, to bring "seriously unlawful" data processing to an immediate halt and take enforcement action to prevent any breaches likely to occur.

The government has suffered many data security breaches over the past four months, including the MoD having three laptops stolen containing approximately 600,000 servicemen's and recruits' details, the NHS losing hundreds of thousands of patient records, the DVLA losing three million learner drivers' details and the HMRC losing 25 million child benefit details.

The document says the amendments to the act will have the effect of strengthening public confidence in data protection by "taking a practical, down-to-earth approach - making it easier for the majority of organisations who seek to handle personal information well and tougher for the minority who do not".

It states: "They [the amendments] would also be a significant step forward in modernising the UK's data protection regime by reflecting, in the powers of the regulator and the penalties that can be imposed, the enormous growth that has taken place in the collection and use of personal information and the associated potential for harm that can arise from unlawful processing."

The ICO says it is open to the possibility of sanctions other than criminal prosecution, suggesting a civil penalty regime based on the powers of the Financial Services Authority.

A spokesman for the MoJ said: "We are considering the Information Commissioner's proposal for new sanctions under the DPA for the most serious breaches of its principles."

The ministry said public consultation on what would be "appropriate and proportionate" sanctions was likely to take a minimum of 12 weeks and that it would then consider what changes, if any, were needed to the law.

A spokesman for the ICO said: "We have passed the document to the MoJ, we are now waiting to see whether it is going to accept our requests."

Technology lawyer for Eversheds Jonathan Armstrong said: "The possibility of criminal prosecution is something that a lot of multinationals will sit up and listen to. The only caution I have is that we are not very good at reactive legislation in this country; there needs to be guidance on what 'reckless' is going to be viewed as."

Comments

There are 4 comments.

  1. Mick Bonwick

    Well done, silicon.com, for playing your part in this step forward. I wonder how many other losses there have been that have not reached the headlines. How could this legislation be effectively policed?

  2. Simon

    Well done, but I bet the clueless twits in Westminster will keep their exemption!

  3. Richard

    Congratulations, but with so much personal information now "lost," what should we "protect" and what can we assume is still "private"?

    For example: Banks etc. still pretend that Date of Birth is a secure identifier;

    Is it time for the "security industry" to re-assess, and to settle on using identifiers which are not "public knowledge"?

  4. Karen Challinor

    Well done silicon.com, but don't count your chickens yet; the ICO making a proposal is a far cry from the necessary act of parliament.

    So keep the pressure on and be prepared for a long-drawn-out battle.
